Cybersecurity researchers at security company Forescout analysed over 19 million Internet of Things-connected devices deployed across businesses and industry to determine the riskiest ones to connect to.
Risk was determined by considering the range and severity of vulnerabilities in the types of devices, as well as the number of internet-facing ports – along with how the device could be abused if compromised, and the impact that abuse could have across the wider network.
Researchers found that some of the IoT products that are most at risk are some of the most commonly deployed across smart homes and workplaces.
According to Forescout’s research team, Vedere Labs, IP cameras are the riskiest IoT devices because they’re commonly exposed to the internet, often only secured with a weak or default password – if the device requires a password at all – and they can have easy-to-exploit unpatched vulnerabilities.
Also: The scary future of the internet: How the tech of tomorrow will pose even bigger cybersecurity threats
That situation makes them a tempting target for malicious hackers, especially if they’re on a flat network, which means breaching the camera can be used as a gateway to other, more valuable targets such as computers and servers.
“These vulnerable cameras can be used by attackers for initial access to a network, lateral movement on a compromised network or to proxy command and control traffic to the internet,” Daniel dos Santos, head of security research at Forescout, told ZDNET.
Several malicious hacking groups are reported to have used vulnerabilities in IP cameras to gain initial entry into networks – and Forescout has previously warned that vulnerabilities in cameras could be used as an entry point for ransomware attacks.
Many VoIP and video-conference systems also suffer from similar vulnerabilities to those found in IP cameras – and they’ve also been used by cyber attackers as a gateway for wide-ranging malicious hacking campaigns.
VoIP and video-conferencing tools are a common feature in enterprise environments, meaning that there’s plenty of opportunities for cyber criminals to target them, especially if they’re not secured properly.
Researchers have also listed ATMs as a vulnerable IoT device, citing how they’re business-critical in financial organizations and that they’re often on the same network as security cameras, which as detailed, can be vulnerable to remote access – therefore, providing attackers with a route to the ATM that can be exploited.
“Attackers can abuse internet-connected ATMs because they often run legacy operating systems such as Windows 7 or XP, which contain many known vulnerabilities allowing for remote-code execution,” said dos Santos.
Also: The two smart devices I will never install in my house
Printers are also detailed as one of the most significant IoT risks to networks – not only are they commonplace in offices, but specialized printers are also used in other areas, such as printing tickets or wristbands for events.
“Although printers are not widely associated with cyber risk, they should be,” warns the report, detailing how the devices, like IP cameras, often contain security vulnerabilities – and that they’re often connected to other sensitive devices, which attackers could access after successfully compromising a printer.
In addition to the risk of IoT devices being exploited to gain wider access to networks, compromised IoT devices can also be taken control of and forced into botnets, which are used to conduct distributed denial of service attacks against others – and the owner of the infected device may never know this is the case.
While some responsibility for securing devices needs to fall on users – for example, by ensuring default passwords aren’t being used, security patches are applied and that risky devices are not on the same part of the network as everything else – dos Santos argued that it’s vital that device vendors also take action to ensure their products are as secure as possible.
“Cybersecurity is a shared responsibility between device manufacturers and users. Manufacturers must ensure they employ secure software development lifecycles that include processes such as code reviews, vulnerability scanning, and penetration testing,” he said.
“Users must make sure they configure and deploy devices in a way that does not expose them to unnecessary risk by patching found vulnerabilities, hardening devices and implementing network segmentation,” dos Santos added.